[THIN] Re: Users installing programs

From: Frank Monroe <Frank.Monroe@xxxxxxxxxxx>

To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>

Date: Thu, 9 Sep 2004 09:42:44 -0500

Also, you can fix most of the problems due to programs writing into HKLM and
Program Files by finding ways to move these to other locations. This can be
done in some cases from within the application. In others, you can use the
Application Compatibility LUA Settings, which will redirect attempts to write
to HKLM, HKCR or directories such as Program Files into the user's registry
and profile.
We have hundreds of applications on our servers and it was not a big deal to
fix the problem applications. We also have most of our users on terminal
servers rather than desktops.
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 09, 2004 10:28 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
That sounds like a big administrative hassle to me. We used to manage NTFS
read-only permissions on \Program Files and \Windows folders on the servers,
but with as many servers and apps as we have, it was a big PITA. We now use
hidden drives and the GPO settings I mentioned before, and the registry
security. We have a ton of other GPO restrictions, about 12 pages worth
printed out. Our users complained at first, but we have almost eliminated
end user generated help desk calls.
The best thing to do would be to set up a server in the lab and see what
combination works best for you. Test different approaches and see what you
can break. There will always be some way to mess up a terminal server, but
you can eliminate about 99% of the problems.
-Joel
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Abshire
Sent: Thursday, September 09, 2004 9:12 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
My colleague wants to set read only permissions on the root and try to go
back and allow what needs write access on the servers. I have told him doing
so will be a huge mistake because there are so many files in different
places that finding them all would be a nightmare. I wanted to share this
with everyone so I am not alone when I approach my boss and colleague with
more emphasis on using a more logical approach. Any input will be greatly
appreciated.
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Thursday, September 09, 2004 9:04 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
It will run for admins if you enable the policy setting to do so.
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Abshire
Sent: Thursday, September 09, 2004 8:55 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
Good point.
-----Original Message-----
From: Frank Monroe [mailto:Frank.Monroe@xxxxxxxxxxx]
Sent: Thursday, September 09, 2004 8:37 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Users installing programs
Keep in mind, Windows Installer doesn't run in a terminal server session, so
if stuff is being installed, it's not via Windows Installer anyway.
-----Original Message-----
From: Jim Abshire [mailto:Jim.Abshire@xxxxxxxxxxx]
Sent: Thursday, September 09, 2004 9:30 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
Thanks Joel, but I checked and that policy is already in place, enabled. I'm
thinking about looking into the HKLM read-only and the Full Security mode
that a couple of people have requested. My concern is that other programs such
as Office and Adobe will not work.
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Wednesday, September 08, 2004 4:59 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
The locations are:
Computer Settings/Windows Components/Windows Installer/Policy
Setting/Prohibit User Installs
User Settings/Windows Components/Internet Explorer/Browser menus/Disable
Save this program to disk
These come from the out of box ADM templates that come with the GPMC with
SP1 from Microsoft.
If you need the GPMC go to
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
-Joel
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Abshire
Sent: Wednesday, September 08, 2004 4:46 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
I have searched the GPO but cannot find either of these policies, is there
a specific .adm I need to load?
-----Original Message-----
From: Joel Stolk [mailto:JStolk@xxxxxxxxxxxxxxxx]
Sent: Wednesday, September 08, 2004 4:43 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Users installing programs
One quick tip I can think of is to change the permissions in the registry on
the HKLM\Software key to read only for the users. A lot of program installs
will fail and/or not execute if they cannot write information to this key.
Also, a GPO or local policy to Prohibit User Installs (under Computer
Configuration) could help. Additionally, use a GPO or local policy to not
allow downloads from Internet Explorer.
-Joel
_____
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jim Abshire
Sent: Wednesday, September 08, 2004 2:54 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Users installing programs
I have a question. I work for a property management company and we provide
Internet via Citrix to students. I have tried desperately to lock down the
servers, but they seem to still be able to install Internet-based programs
(e.g. AOL Instant Messenger, Poker Party, etc.) to name a few. Is there a way
to lock the server down tight so this cannot continue, without prohibiting
the users from running necessary programs such as Office?
Jim Abshire
Network Administrator
Dinerstein Management
713-570-0373
++++++CONFIDENTIALITY NOTICE++++++
The information in this email may be confidential and/or privileged. This
email is intended to be reviewed by only the individual or organization
named above. If you are not the intended recipient or an authorized
representative of the intended recipient, you are hereby notified that any
review, dissemination or copying of this email and its attachments, if any,
or the information contained herein is prohibited. If you have received this
email in error, please immediately notify the sender by return email and
delete this email from your system.
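Added example, not from any of the posts above: a PowerShell lab check for the three controls the thread goes back and forth on. It reports whether the Windows Installer "Prohibit User Installs" policy is in effect (that policy sets DisableUserInstalls=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer), whether the users' group holds any write-type right on HKLM\Software, and which Program Files subfolders that group can still write to, which is the list of "problem applications" you would fix or redirect before tightening everything. The group name BUILTIN\Users, the default Program Files path and the function names are assumptions for a stock install; the optional setter is a plain ACL edit, not the Application Compatibility LUA redirection Frank describes.

```powershell
# Added example (not from the thread). Run as an administrator on a TEST
# terminal server first, as Joel suggests. Assumptions: your Citrix users are
# in BUILTIN\Users and Program Files is at $env:ProgramFiles.
$Group = 'BUILTIN\Users'

# 1. "Prohibit User Installs" (Computer Configuration / Windows Installer)
#    is stored as DisableUserInstalls=1 under the Installer policy key.
function Test-ProhibitUserInstalls {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $v = Get-ItemProperty -Path $key -Name DisableUserInstalls -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableUserInstalls -eq 1)
}

# 2. List Allow ACEs on a registry key that give $Identity any write-type
#    right (SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership).
function Get-RegistryWriteRights {
    param([string]$Path = 'HKLM:\SOFTWARE', [string]$Identity = $Group)
    $writeMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                       [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                       [System.Security.AccessControl.RegistryRights]::Delete -bor
                       [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                       [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and
                       $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.RegistryRights -band $writeMask) -ne 0) }
}

# 3. Walk Program Files and return every folder where $Identity can write.
#    FileSystemRights::Write covers WriteData/AppendData, so Modify and
#    FullControl match too. These folders are the ones to fix or redirect.
function Find-WritableProgramDirs {
    param([string]$Root = $env:ProgramFiles, [string]$Identity = $Group)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
    Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            $acl -and ($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $Identity -and
                $_.AccessControlType -eq 'Allow' -and
                (([int]$_.FileSystemRights -band $writeMask) -ne 0) })
        } | Select-Object -ExpandProperty FullName
}

# 4. Optional: make a key read-only for $Identity by replacing its explicit
#    Allow ACEs with ReadKey. Inherited ACEs are left alone. Supports -WhatIf.
function Set-RegistryReadOnly {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = 'HKLM:\SOFTWARE', [string]$Identity = $Group)
    $acl = Get-Acl -Path $Path
    $explicit = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited })
    foreach ($ace in $explicit) { $null = $acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "grant $Identity ReadKey only")) {
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Report. Run Set-RegistryReadOnly -WhatIf before applying anything.
"Prohibit User Installs policy in effect: $(Test-ProhibitUserInstalls)"
"Write-type rights for $Group on HKLM\Software:"
Get-RegistryWriteRights | Format-Table IdentityReference, RegistryRights -AutoSize
"Program Files folders writable by ${Group}:"
Find-WritableProgramDirs
```

The report functions only read ACLs, so they are safe to run on a production server to see what you are dealing with; the setter changes the key and should be tried with -WhatIf, then on the lab server, before it goes anywhere near the Office and Adobe installs Jim is worried about. The script only covers what is written under HKLM and Program Files; a program that installs entirely into the user's profile never touches either, which is why the GPO and Internet Explorer download restrictions in the thread are still needed alongside the permissions.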